"While black box security testing is important for analysing the security of deployed applications, its scope is limited by the fact that the testing resides outside of the application," said Barmak Meftah, VP of Products & Services, Fortify Software. "Our research and early product feedback demonstrate the importance of knowing how many of a web application's security-critical points are covered during a test. In addition to providing this important metric, Fortify Tracer helps security professionals improve the effectiveness of their black box security tests and fix security flaws faster."

By providing code level information, Fortify Tracer helps security professionals adjust their black box testing efforts to cover more of the application and identify additional vulnerabilities. Fortify Tracer can be used in conjunction with any manual or automated security testing procedure, providing consistency and repeatability among independent application security tests.

"Fortify Tracer's code-level information is an exciting complement to AppScan, the market leading web application security testing solution," stated Michael Weider, CTO, Watchfire. "Used together, these two products will give customers a powerful solution that not only yields more secure applications but demonstrates how the Fortify-Watchfire partnership continues to provide meaningful security solutions for both our customers and the industry."

About Fortify Tracer

Fortify Tracer provides reports on coverage percentages and code-level details about runtime security errors discovered during automated and manual application penetration tests. Its patent-pending Call Site Monitor technology tracks security-critical APIs, such as database and file system, within the web application itself, and detects runtime vulnerabilities that are not visible through an application's web interface.

Fortify Tracer details which security-critical function points of a given application are actually exercised by specific penetration tests. In doing so, it helps security professionals evaluate and correct their tests, and remediate vulnerabilities much faster by showing them the actual location of vulnerabilities in the source code.

Fortify Tracer features include:

Insightful security coverage reports detail percentage of security-critical functions exercised during a test. Key areas of the application that interact with sensitive interfaces, such as Web input, the database, and the file system, are tracked separately to provide additional coverage information;

Patent-pending Call Site Monitor technology works from inside to provide vulnerability identification at the root cause;

Fortify Tracer currently works on any J2EE executable (.war/.ear) files; users simply point to the file and the Fortify instrumentation engine inserts monitors at security-critical call sites;

Detailed reports show vulnerabilities according to their categories, such as cross-site scripting and SQL injection.

Fortify Tracer is available today.

In a report released today, Fortify Software disclosed its findings that manual and automated web application black box security tests generally reach less than 50% of security-critical sites within the code. The report is based on sixty days of empirical data gathered from Fortify Tracer's black box security tests on numerous applications varying in function, size, and complexity. The full report is available today at www.fortifysoftware.com/fortifytracer/report.

About Fortify Software, Inc.

Fortify Software products protect companies from the threats posed by security flaws in business-critical software applications. Its software security products, Fortify Source Code Analysis (SCA), Fortify Tester, Fortify Tracer and Fortify Defender drive down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and Fortune 500 companies in a wide variety of industries such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration, and information management. The company is backed by a world-class team of software security experts and partners. More information is available at www.fortifysoftware.com.
